This disclosure relates to public-key infrastructure (PKI)-based client/server authentication.
The expanding popularity of the Internet, especially the World Wide Web, has lured many people and businesses into the realm of network communications. There has been a corresponding growth in the transmission of confidential information over these networks. As a consequence, there is an increasing need for security in communications over the Internet. In particular, there is a critical need for improved approaches to ensuring the confidentiality of private information.
Many operating systems, including UNIX and Microsoft Windows™, support a security protocol implemented through a Secure Sockets Layer (SSL) library. In these systems, the SSL provides authentication and data privacy over the Internet. However, SSL implementation has some disadvantages. The SSL 1.0 provides server authentication but not client authentication. The SSL 3.0 provides mechanisms for client authentication but requires storage and management of client certificates.
For example, Web browsers that support the SSL 3.0 warn the user of connecting to a site with an unlisted certificate. An unlisted certificate site refers to a site with a certificate signed by a certificate authority not in the authority trust list such as CyberTrust or VeriSign. In this case, the browser requires the user's certificate to be placed into the client certificate list. The browser further requires the selection of this certificate every time a connection is made to the web server.
Public-key infrastructure (PKI) is a combination of software, encryption technologies, and services that provides security for communications and business transactions over public and private networks. The PKI technology provides several aspects of security needs such as authentication, privacy, data integrity, and non-repudiation.